######################################################################
#
#	Make file to be installed in /etc/raddb/certs to enable
#	the easy creation of certificates.
#
#	See the README file in this directory for more information.
#
#	$Id: 0613df99502989a6d5751eb8b2088000c58cae98 $
#
######################################################################

DH_KEY_SIZE	= 2048

#
#  Set the passwords
#
PASSWORD_SERVER	= `grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
PASSWORD_CA	= `grep output_password rootca.cnf | sed 's/.*=//;s/^ *//'`
PASSWORD_CLIENT	= `grep output_password client.cnf | sed 's/.*=//;s/^ *//'`

USER_NAME	= `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`
CA_DEFAULT_DAYS = `grep default_days rootca.cnf | sed 's/.*=//;s/^ *//'`

CA_CERTS_TARGET = rootca 2ndca 3thca
SERVER_CERTS_TARGET =  3server server
CLIENT_CERTS_TARGET =  client 3client
ALL_CERTS = $(CA_CERTS_TARGET) $(SERVER_CERTS_TARGET) $(CLIENT_CERTS_TARGET)
ALL_TARTGET = index.txt serial dh random $(ALL_CERTS) maketar

CA_FILE = rootca.crt rootca.key 2ndca.crt 2ndca.key 3thca.crt 3thca.key mix2.crt mix3.crt
SERVER_FILE = server.crt 3server.crt server.key 3server.key 
CLIENT_FILE = client.crt 3client.crt client.key 3client.key
ALL_TAR_FILE = $(CA_FILE) $(SERVER_FILE) $(CLIENT_FILE) usage
TARFILE=$(ALL_TAR_FILE)
######################################################################
#
#  Make the necessary files, but not client certificates.
#
######################################################################
.PHONY: all
all:  $(ALL_CERTS)

cacert: $(CA_CERTS_TARGET)
servercert:$(SERVER_CERTS_TARGET)
clientcert:$(CLIENT_CERTS_TARGET)

.PHONY: client
client: client.pem

.PHONY: 3client
3client: 3client.pem  3client.vrfy

.PHONY: rootca
rootca: rootca.der

.PHONY: 2ndca
2ndca: 2ndca.pem 2ndca.vrfy

.PHONY: 3thca
3thca: 3thca.pem 3thca.vrfy

.PHONY: server
server: server.pem server.vrfy

.PHONY: 3server
server: 3server.pem 3server.vrfy
######################################################################
#
#  Diffie-Hellman parameters
#
######################################################################
dh:
	openssl dhparam -out dh $(DH_KEY_SIZE)

######################################################################
#
#  Create a new self-signed CA certificate
#
######################################################################
rootca.key rootca.pem: rootca.cnf
	@[ -f index.txt ] || $(MAKE) index.txt
	@[ -f serial ] || $(MAKE) serial
	openssl req -new -x509 -keyout rootca.key -out rootca.pem \
		-days $(CA_DEFAULT_DAYS) -config ./rootca.cnf

rootca.der: rootca.pem
	openssl x509 -inform PEM -outform DER -in rootca.pem -out rootca.der
	@[ -f rootca.crt ] || cp rootca.pem rootca.crt

######################################################################
#
#  Create a new server certificate, signed by the root CA.
#
######################################################################
server.csr server.key: server.cnf
	openssl req -new  -out server.csr -keyout server.key -config ./server.cnf

server.crt: server.csr rootca.key rootca.pem
	openssl ca -batch -keyfile rootca.key -cert rootca.pem -in server.csr  -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf

server.p12: server.crt
	openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)

server.pem: server.p12
	openssl pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)

.PHONY: server.vrfy
server.vrfy: rootca.pem
	@openssl verify -CAfile rootca.pem server.pem

######################################################################
#
#  Create a new client certificate, signed by the root CA
#  certificate.
#
######################################################################
client.csr client.key: client.cnf
	openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr rootca.pem rootca.key
	openssl ca -batch -keyfile rootca.key -cert rootca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

.PHONY: client.vrfy
client.vrfy: rootca.pem client.pem rehash
	openssl verify -CApath . client.pem


######################################################################
#
#  Create a second CA certificate, signed by the above CA.
#
######################################################################
2ndca.csr 2ndca.key: 2ndca.cnf
	openssl req -new  -out 2ndca.csr -keyout 2ndca.key -config ./2ndca.cnf

2ndca.crt: 2ndca.csr rootca.key rootca.pem
	openssl ca -batch -extensions v3_ca  -keyfile rootca.key -cert rootca.pem -in 2ndca.csr  -key $(PASSWORD_CA) -out 2ndca.crt -config ./2ndca.cnf

2ndca.p12: 2ndca.crt
	openssl pkcs12 -export -in 2ndca.crt -inkey 2ndca.key -out 2ndca.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)

2ndca.pem: 2ndca.p12
	openssl pkcs12 -in 2ndca.p12 -out 2ndca.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)

.PHONY: 2ndca.vrfy
2ndca.vrfy: rootca.pem
	@openssl verify -CAfile rootca.pem 2ndca.pem


######################################################################
#
#  Create a thrid CA certificate, signed by the above CA.
#
######################################################################
3thca.csr 3thca.key: 3thca.cnf
	openssl req -new  -out 3thca.csr -keyout 3thca.key -config ./3thca.cnf

3thca.crt: 3thca.csr 2ndca.key 2ndca.pem
	openssl ca -batch  -keyfile 2ndca.key -cert 2ndca.pem -in 3thca.csr  -key $(PASSWORD_CA) -out 3thca.crt -extensions xpserver_ext -extfile xpextensions -config ./3thca.cnf

3thca.p12: 3thca.crt
	openssl pkcs12 -export -in 3thca.crt -inkey 3thca.key -out 3thca.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)

3thca.pem: 3thca.p12
	openssl pkcs12 -in 3thca.p12 -out 3thca.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)

.PHONY: 3thca.vrfy
3thca.vrfy: rootca.pem 2ndca.pem
	@cat 2ndca.crt > mix2.crt
	@cat rootca.pem >> mix2.crt
	@openssl verify -CAfile mix2.crt 3thca.pem

######################################################################
#
#  Create a third CA certificate, signed by the 3thca CA.
#
######################################################################
3server.csr 3server.key: 3server.cnf
	openssl req -new  -out 3server.csr -keyout 3server.key -config ./3server.cnf

3server.crt: 3server.csr 3thca.key 3thca.pem
	openssl ca -batch -keyfile 3thca.key -cert 3thca.pem -in 3server.csr  -key $(PASSWORD_CA) -out 3server.crt -extensions xpserver_ext -extfile xpextensions -config ./3server.cnf

3server.p12: 3server.crt
	openssl pkcs12 -export -in 3server.crt -inkey 3server.key -out 3server.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)

3server.pem: 3server.p12
	openssl pkcs12 -in 3server.p12 -out 3server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)

.PHONY: 3server.vrfy
3server.vrfy: rootca.pem 2ndca.pem 3thca.pem
	@cat 3thca.crt > mix3.crt
	@cat 2ndca.crt >> mix3.crt
	@cat rootca.pem >> mix3.crt
	@openssl verify -CAfile mix3.crt 3server.pem

######################################################################
#
#  Create a new client certificate, signed by the 3thca CA
#  certificate.
#
######################################################################
3client.csr 3client.key: 3client.cnf
	openssl req -new  -out 3client.csr -keyout 3client.key -config ./3client.cnf

3client.crt: 3thca.csr 3thca.pem 3client.key 3client.csr
	openssl ca -batch -keyfile 3thca.key -cert 3thca.pem -in 3client.csr  -key $(PASSWORD_CA) -out 3client.crt -extensions xpclient_ext -extfile xpextensions -config ./3client.cnf

3client.p12: 3client.crt
	openssl pkcs12 -export -in 3client.crt -inkey 3client.key -out 3client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

3client.pem: 3client.p12
	openssl pkcs12 -in 3client.p12 -out 3client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

.PHONY: 3client.vrfy
3client.vrfy: 3server.pem 3client.pem rehash
	openssl verify -CApath . 3client.pem
	@cat 3thca.crt > mix3.crt
	@cat 2ndca.crt >> mix3.crt
	@cat rootca.pem >> mix3.crt
	@openssl verify -CAfile mix3.crt 3client.pem

######################################################################
#
#  Miscellaneous rules.
#
######################################################################
index.txt:
	@touch index.txt

serial:
	@echo '01' > serial

rehash:
	for name in *.pem; do hash_file=`openssl x509 -hash -noout -in "$$name"`.0; rm -f "$$hash_file" ; ln -s "$$name" "$$hash_file" ; done
random:
	@if [ -c /dev/urandom ] ; then \
		ln -sf /dev/urandom random; \
	else \
		date > ./random; \
	fi

info:
	@echo "****************************************************************************"
	@echo "what make usage $(all)"
	@echo "****************************************************************************"
	@echo ""
	@echo "make print"
	@echo "make printca"
	@echo "make clean"
	@echo "make destroycerts"
	@echo "\n\n"
	@echo "****************************************************************************"
	@echo "certification chains"
	@echo "****************************************************************************"
	@echo "multica2.pem include ca.pem server.pem"
	@echo "multica3.pem include ca.pem server.pem 3server.pem"
	@echo "ca.pem ->server.pem->3server.pem->3client.pem"
	@echo "ca.pem ->server.pem"
	@echo "ca.pem ->client.pem"
	@echo "\n\n"
	@echo "****************************************************************************"
	@echo "certification password"
	@echo "****************************************************************************"
	@echo ""
	@echo "ca password $(PASSWORD_CA)" > usage.passwd
	@echo "server password $(PASSWORD_SERVER)" >> usage.passwd
	@echo "client password $(PASSWORD_CLIENT)" >> usage.passwd
	@cat usage.passwd
	
print:
	openssl x509 -text -in server.crt
	openssl x509 -text -in 3server.crt

connect:
	openssl s_client -connect 172.18.135.200:7838 -CApath .

printca:
	openssl x509 -text -in rootca.pem

maketar: 3client.pem client.pem server.pem 3client.vrfy 3server.vrfy
#	@echo "whtat 's $(TARFILE)"
	@echo "start tar all certificate file"
	@tar -czvf cert_file.tar.bz $(TARFILE)

clean:destroycerts
	rm -f *~ *old *.bak client.csr client.key client.crt client.p12 client.pem

#
#	Make a target that people won't run too often.
#
destroycerts:
	rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
			serial* random *\.0 *\.1  *.tar.bz usage.passwd
